AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Burp suite intruder1/17/2024 ![]() ![]() When adding a macro, you will be redirected to a pop up screen with your HTTP history captured by Burp Suite. ![]() Our rule is now finished, and will now execute the reauth macro every time a response comes back that contains the text “session failed”. If this is the case we will run the re authentication macro. It is for the same reason that the “ Response body” option is ticked and we instructed Burp Suite to check if the string “ session failed” is in our request response. In our use case, the current request will tell us using the error body “ session failed” that our session is not valid anymore, which is why the “ Issue current request” is ticked. Here you can specify which request should be ran to check if the session is still valid or not. You should be redirected to the Session handling action editor. Once you have set your rule action, edit it by selecting the action and pressing the Edit button. In the rule actions click the “Add” button and choose Check session is valid. Keep this one, and add your own custom rule. In the first section of the screen you should now see a standard rule called “ use cookies from Burp’s cookie jar“. The “Sessions” section in Burp can be found under “Project Options” Burp Session rules In Burp, go to the “project options” tab and choose sessions Here is an example on how to achieve this: IF ("session failed" in response.body OR = 403 ): re-authenticate In this case pseudocode for this problem would look a little like this: ![]() Using this functionality, it is possible to trigger certain requests automatically given a certain condition. So, we needed to find a way to bypass these restrictive sessions! Burp Session Handling Rules to the rescue!įortunately for us, Burp Suite provides a solution for this called “Burp Session Handling Rules”. This presented a unique challenge, as most of our automated tools and techniques had no reliable way of working as the base requests that were being used as entry point, always contained invalid cookies as the lifetime of a session was about 2 minutes and the anti-CSRF token was unique per request (as it should be). Recently, NVISO was tasked to do a penetration test on a web application that had very short authenticated sessions and that implemented anti CSRF tokens. ![]()
0 Comments
Read More
Leave a Reply. |